
Juniper Secure Analytics

Managing Vulnerability Assessment

Release

2014.4


Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics Managing Vulnerability Assessment Copyright © 2015, Juniper Networks, Inc.

All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at


Table of Contents

About the Documentation . . . ix

Documentation and Release Notes . . . ix

Documentation Conventions . . . ix

Documentation Feedback . . . xi

Requesting Technical Support . . . xii

Self-Help Online Tools and Resources . . . xii

Opening a Case with JTAC . . . xii

Part 1

Juniper Secure Analytics Vulnerability Assessment

Chapter 1 Vulnerability Assessment Scanner . . . 3

Vulnerability Assessment Scanner Overview . . . 3

Chapter 2 Managing Beyond Security Automatic Vulnerability Detection System Scanner . . . 5

Beyond Security Automatic Vulnerability Detection System Scanner Overview . . . 5

Adding a Beyond Security AVDS Vulnerability Scanner . . . 5

Chapter 3 Digital Defense Inc AVS Scanner . . . 9

Digital Defense Inc AVS Scanner Overview . . . 9

Adding a Digital Defense Inc AVS Scanner . . . 9

Chapter 4 Managing eEye Scanner . . . 13

eEye Scanner Overview . . . 13

Adding an eEye REM SNMP Scan . . . 13

Adding an eEye REM JDBC Scan . . . 15

Installing the Unrestricted Java Cryptography Extension . . . 17

Chapter 5 Managing IBM Security AppScan Enterprise Scanners . . . 19

IBM Security SiteProtector Scanner Overview . . . 19

Creating a Customer User Type for IBM AppScan . . . 20

Enabling Integration with IBM Security AppScan Enterprise . . . 20

Creating an Application Deployment Map in IBM Security AppScan Enterprise . . . 21

Publishing the Completed Reports in IBM AppScan . . . 22

Adding an IBM AppScan Vulnerability Scanner . . . 22

Chapter 6 Managing an IBM Security Guardium Scanner . . . 25

IBM Security Guardium Scanner Overview . . . 25


Chapter 7 Managing IBM Security SiteProtector Scanner . . . 29

IBM Security SiteProtector Scanner Overview . . . 29

Adding an IBM SiteProtector Vulnerability Scanner . . . 29

Chapter 8 Managing IBM Security Tivoli Endpoint Manager Scanner . . . 33

IBM Security Tivoli Endpoint Manager Scanner Overview . . . 33

Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner . . . 33

Chapter 9 Managing Foundstone FoundScan Scanner . . . 37

Foundstone FoundScan Scanner Overview . . . 37

Adding a Foundstone FoundScan Scanner . . . 38

Importing Certificates for Foundstone FoundScan . . . 39

Chapter 10 Microsoft SCCM Scanner . . . 41

Microsoft SCCM Scanner Overview . . . 41

WMI Enablement on Scanner Host . . . 41

Adding a Microsoft SCCM Scanner . . . 42

Chapter 11 Managing nCircle IP360 Scanner . . . 45

nCircle IP360 Scanner Overview . . . 45

Exporting nCircle IP360 Scan Results To an SSH Server . . . 46

Adding a nCircle IP360 Scanner . . . 46

Chapter 12 Managing Nessus Scanner . . . 49

Nessus Scanner Overview . . . 49

Adding a Nessus Scheduled Live Scan . . . 50

Adding an Nessus Live Scan with the XMLRPC API . . . 52

Adding a Nessus Scheduled Result Import . . . 53

Adding a Nessus Completed Report Import with the XMLRPC API . . . 55

Chapter 13 Managing NMap Scanner . . . 57

NMap Scanner Overview . . . 57

Adding a NMap Remote Result Import . . . 57

Adding a NMap Remote Live Scan . . . 59

Chapter 14 Managing Qualys Scanner . . . 63

Qualys Scanner Overview . . . 63

Adding a Qualys Detection Scanner . . . 63

Adding a Qualys Scheduled Live Scan . . . 65

Adding a Qualys Scheduled Import Asset Report . . . 67

Adding a Qualys Scheduled Import Scan Report . . . 68

Chapter 15 Managing Juniper Profiler NSM Scanner . . . 71

Juniper Profiler NSM Scanner Overview . . . 71

Adding a Juniper NSM Profiler Scanner . . . 71

Chapter 16 Managing Rapid7 NeXpose Scanner . . . 75

Rapid7 NeXpose Scanner Overview . . . 75

Adding a Rapid7 NeXpose Scanner API Site Import . . . 75


Chapter 17 Managing netVigilance SecureScout Scanner . . . 79

netVigilance SecureScout Scanner Overview . . . 79

Adding a netVigilance SecureScout Scan . . . 80

Chapter 18 Managing McAfee Vulnerability Manager Scanner . . . 83

McAfee Vulnerability Manager Scanner Overview . . . 83

Adding a Remote XML Import Scan . . . 84

Adding a McAfee Vulnerability Manager SOAP API Scan . . . 85

Creating Certificates for McAfee Vulnerability Manager . . . 87

Processing Certificates for McAfee Vulnerability Manager . . . 88

Importing Certificates For McAfee Vulnerability Manager . . . 89

Chapter 19 Managing SAINT Scanner . . . 91

SAINT Scanner Overview . . . 91

Configuring a SAINTwriter Template . . . 91

Adding a SAINT Vulnerability Scan . . . 92

Chapter 20 Managing Tenable SecurityCenter Scanner . . . 95

Tenable SecurityCenter Scanner Overview . . . 95

Adding a Tenable SecurityCenter Scan . . . 95

Chapter 21 Managing Axis Scanner . . . 97

Axis Scanner Overview . . . 97

Adding an AXIS Vulnerability Scan . . . 97

Chapter 22 Positive Technologies MaxPatrol . . . 101

Positive Technologies MaxPatrol Overview . . . 101

Integrating Positive Technologies MaxPatrol with JSA . . . 102

Adding a Positive Technologies MaxPatrol Scanner . . . 102

Chapter 23 Scheduling a Vulnerability Scan . . . 105

Overview . . . 105

Viewing the Status Of a Vulnerability Scan . . . 106

Chapter 24 Managing the Supported Vulnerability Scanner . . . 109

Supported Vulnerability Scanner Overview . . . 109

Part 2

Index

Index . . . 115


List of Tables

About the Documentation . . . ix

Table 1: Notice Icons . . . x

Table 2: Text and Syntax Conventions . . . x

Part 1

Juniper Secure Analytics Vulnerability Assessment

Chapter 2 Managing Beyond Security Automatic Vulnerability Detection System Scanner . . . 5

Table 3: Beyond Security AVDS Vulnerability Scanner Authentication Options . . . 6

Chapter 6 Managing an IBM Security Guardium Scanner . . . 25

Table 4: IBM AppScan Enterprise Scanner Authentication Options . . . 26

Chapter 10 Microsoft SCCM Scanner . . . 41

Table 5: Microsoft SCCM Parameters . . . 43

Chapter 12 Managing Nessus Scanner . . . 49

Table 6: Nessus Scheduled Result Authentication Options . . . 54

Chapter 13 Managing NMap Scanner . . . 57

Table 7: NMap Remote Result Import Authentication Options . . . 58

Table 8: NMap Remote Live Scan Authentication Options . . . 60

Chapter 18 Managing McAfee Vulnerability Manager Scanner . . . 83

Table 9: Remote XML Import Authentication Options . . . 84

Chapter 19 Managing SAINT Scanner . . . 91

Table 10: SAINT Vulnerability Authentication Options . . . 93

Chapter 21 Managing Axis Scanner . . . 97

Table 11: AXIS Scanner - SFTP Properties . . . 98

Table 12: AXIS Scanner - SMB Share Properties . . . 98

Chapter 22 Positive Technologies MaxPatrol . . . 101

Table 13: Positive Technologies MaxPatrol Scanner Details . . . 101

Table 14: Positive Technologies MaxPatrol Scanner SFTP Properties . . . 102

Table 15: Positive Technologies MaxPatrol Scanner SMB Share Properties . . . 103

Chapter 23 Scheduling a Vulnerability Scan . . . 105

Table 16: VA Scanner CIDR Options . . . 105

Table 17: VA Scanner Priority Options . . . 106

Table 18: Scan Schedule Status . . . 106


About the Documentation

• Documentation and Release Notes on page ix

• Documentation Conventions on page ix

• Documentation Feedback on page xi

• Requesting Technical Support on page xii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions


Table 1: Notice Icons

Meaning: Description

Informational note: Indicates important features or instructions.

Caution: Indicates a situation that might result in loss of data or hardware damage.

Warning: Alerts you to the risk of personal injury or death.

Laser warning: Alerts you to the risk of personal injury from a laser.

Tip: Indicates helpful information.

Best practice: Alerts you to a recommended use or implementation.

Table 2 on page x defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
user@host> show chassis alarms
No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
broadcast | multicast
(string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Example:
[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.


• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.


For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1

Juniper Secure Analytics Vulnerability Assessment

• Vulnerability Assessment Scanner on page 3

• Managing Beyond Security Automatic Vulnerability Detection System Scanner on page 5

• Digital Defense Inc AVS Scanner on page 9

• Managing eEye Scanner on page 13

• Managing IBM Security AppScan Enterprise Scanners on page 19

• Managing an IBM Security Guardium Scanner on page 25

• Managing IBM Security SiteProtector Scanner on page 29

• Managing IBM Security Tivoli Endpoint Manager Scanner on page 33

• Managing Foundstone FoundScan Scanner on page 37

• Microsoft SCCM Scanner on page 41

• Managing nCircle IP360 Scanner on page 45

• Managing Nessus Scanner on page 49

• Managing NMap Scanner on page 57

• Managing Qualys Scanner on page 63

• Managing Juniper Profiler NSM Scanner on page 71

• Managing Rapid7 NeXpose Scanner on page 75

• Managing netVigilance SecureScout Scanner on page 79

• Managing McAfee Vulnerability Manager Scanner on page 83

• Managing SAINT Scanner on page 91

• Managing Tenable SecurityCenter Scanner on page 95

• Managing Axis Scanner on page 97

• Positive Technologies MaxPatrol on page 101

• Scheduling a Vulnerability Scan on page 105


CHAPTER 1

Vulnerability Assessment Scanner

This chapter describes the following sections:

• Vulnerability Assessment Scanner Overview on page 3

Vulnerability Assessment Scanner Overview

Integration with vulnerability assessment scanners provides administrators and security professionals with the information needed to build vulnerability assessment profiles for network assets. References to Juniper Secure Analytics (JSA) apply to all products capable of collecting vulnerability assessment information. Products that support scanners include JSA. Assets and asset profiles created for servers and hosts in your network provide important information to assist you when resolving security issues. Networks, servers, and individual hosts within the network can be extremely complicated. The purpose of the Assets tab is to collect data and view information about an asset. The goal is to connect offenses triggered in your system to physical or virtual assets, which provides a starting point for a security investigation. Asset data helps you identify threats, vulnerabilities, services, and ports, and monitor asset usage in your network.

The Assets tab in JSA is intended to provide a unified view of the information known about your assets. As more information is provided to the system through vulnerability assessment, the system updates the asset profile and incrementally builds a complete picture about your asset. Vulnerability assessment profiles use correlated event data, network activity, and behavioral changes to determine the threat level and vulnerabilities present on critical business assets in your network. Integration with vulnerability assessment products provides administrators the ability to schedule scans and ensure that vulnerability information is relevant for assets in the network.

To collect vulnerability assessment information for JSA, administrators can select a scanner from the following supported scanner list:

• For the list of supported scanner products, see “Managing the Supported Vulnerability Scanner” on page 109.

• For the configuration options to add a vulnerability scanner to JSA, see:

  • “Managing an IBM Security Guardium Scanner” on page 25.

  • “Managing IBM Security AppScan Enterprise Scanners” on page 19.

  • “Managing IBM Security Tivoli Endpoint Manager Scanner” on page 33.

  • “Managing nCircle IP360 Scanner” on page 45.

  • “Managing Nessus Scanner” on page 49.

  • “Managing NMap Scanner” on page 57.

  • “Managing Qualys Scanner” on page 63.

  • “Managing Foundstone FoundScan Scanner” on page 37.

  • “Managing Juniper Profiler NSM Scanner” on page 71.

  • “Managing Rapid7 NeXpose Scanner” on page 75.

  • “Managing netVigilance SecureScout Scanner” on page 79.

  • “Managing McAfee Vulnerability Manager Scanner” on page 83.

  • “Managing SAINT Scanner” on page 91.

  • “Managing Axis Scanner” on page 97.

  • “Managing Tenable SecurityCenter Scanner” on page 95.

• To add a scan schedule to import the vulnerability data, see “Scheduling a Vulnerability Scan” on page 105.


CHAPTER 2

Managing Beyond Security Automatic

Vulnerability Detection System Scanner

This chapter describes the following sections:

• Beyond Security Automatic Vulnerability Detection System Scanner Overview on page 5

• Adding a Beyond Security AVDS Vulnerability Scanner on page 5

Beyond Security Automatic Vulnerability Detection System Scanner Overview

Vulnerability assessment is the evaluation of assets in the network to identify and prioritize potential security issues. Juniper Secure Analytics (JSA) products that support Vulnerability Assessment can import vulnerability data from external scanner products to identify vulnerability profiles for assets.

Vulnerability assessment profiles use correlated event data, network activity, and behavioral changes to determine the threat level and vulnerabilities present on critical business assets in your network. As external scanners generate scan data, JSA can retrieve the vulnerability data with a scan schedule.

To configure a Beyond Security AVDS scanner, see “Adding a Beyond Security AVDS Vulnerability Scanner” on page 5.

Related Documentation

• Vulnerability Assessment Scanner Overview on page 3.

• Adding a Beyond Security AVDS Vulnerability Scanner on page 5.

• Viewing the Status Of a Vulnerability Scan on page 106

Adding a Beyond Security AVDS Vulnerability Scanner

Beyond Security Automated Vulnerability Detection System (AVDS) appliances create vulnerability data in Asset Export Information Source (AXIS) format. AXIS formatted files are XML files that can be imported by JSA. The XML scan result files must be published to a remote server that is accessible by using Secure File Transfer Protocol (SFTP). The term remote server refers to any appliance, 3rd party host, or network storage location that can host the published XML scan result files.

The most recent XML results containing Beyond Security AVDS vulnerabilities are imported to JSA when a scan schedule starts. Scan schedules determine the frequency with which vulnerability data created by Beyond Security AVDS is imported. After you add your Beyond Security AVDS appliance to JSA, you can then create a scan schedule to import the scan result files. Vulnerabilities from the scan schedule update the Assets tab after the scan schedule completes.

To add a Beyond Security AVDS Vulnerability Scanner to JSA:

1. Click the Admin tab.

2. Click the VA Scanners icon.

3. Click Add.

4. In the Scanner Name field, type a name to identify your Beyond Security AVDS scanner.

5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

6. From the Type list, select Beyond Security AVDS.

7. In the Remote Hostname field, type the IP address or host name of the system that contains the published scan results from your Beyond Security AVDS scanner.

8. Choose one of the following authentication options as described in Table 3 on page 6.

Table 3: Beyond Security AVDS Vulnerability Scanner Authentication Options

Option: Login Username
Description: To authenticate with a username and password:
1. In the Login Username field, type a username that has access to retrieve the scan results from the remote host.
2. In the Login Password field, type the password associated with the username.

Option: Enable Key Authentication
Description: To authenticate with a key-based authentication file:
1. Select the Enable Key Authentication check box.
2. In the Private Key File field, type the directory path to the key file. The default directory for the key file is /opt/qradar/conf/vis.ssh.key. If a key file does not exist, you must create the vis.ssh.key file.

9. In the Remote Directory field, type the directory location of the scan result files.

10. In the File Name Pattern field, type a regular expression (regex) required to filter the list of files specified in the Remote Directory. All matching files are included in the processing.

11. In the Max Reports Age (Days) field, type the maximum file age for your scan results file. Files that are older than the specified days and timestamp on the report file are excluded when the schedule scan starts. The default value is 7 days.

12. To configure the Ignore Duplicates option:

• Select this check box to track files that have already been processed by a scan schedule. This option prevents a scan result file from being processed a second time.

• Clear this check box to import vulnerability scan results each time the scan schedule starts. This option can lead to multiple vulnerabilities being associated with an asset.

If a result file is not scanned within 10 days, the file is removed from the tracking list and is processed the next time the scan schedule starts.

13. To configure a CIDR range for your scanner:

a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR range from the network list.

b. Click Add.

14. Click Save.

15. On the Admin tab, click Deploy Changes.
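The file selection that steps 10 to 12 describe (File Name Pattern, Max Reports Age, and the Ignore Duplicates tracking list with its 10-day window), as an added Python example that is not JSA code; the directory listing, the schedule start times, and the assumption that the pattern must match the whole file name are constructed for this example.

```python
"""Select Beyond Security AVDS result files for one scan schedule run,
applying the three VA scanner settings: File Name Pattern (regex),
Max Reports Age (days, default 7) and Ignore Duplicates with its
10-day tracking window. Added example, not JSA code."""
import re
from datetime import datetime, timedelta

# Constructed remote-directory listing: (file name, last-modified time).
REMOTE_LISTING = [
    ("avds_results_20150301.xml", datetime(2015, 3, 1, 2, 0)),
    ("avds_results_20150308.xml", datetime(2015, 3, 8, 2, 0)),
    ("avds_results_20150309.xml", datetime(2015, 3, 9, 2, 0)),
    ("avds_results_20150309.xml.bak", datetime(2015, 3, 9, 3, 0)),
    ("notes.txt", datetime(2015, 3, 9, 4, 0)),
]

# Constructed schedule start times used by the demo below.
RUN_ONE = datetime(2015, 3, 10)
RUN_TWO = datetime(2015, 3, 11)
RUN_LATE = datetime(2015, 3, 21)

FILE_NAME_PATTERN = r"avds_results_\d{8}\.xml"   # the File Name Pattern field
TRACKING_WINDOW = timedelta(days=10)             # Ignore Duplicates window


def select_result_files(listing, pattern, max_age_days, now, processed=None):
    """Return the file names to import on this schedule run.

    pattern      -- File Name Pattern regex; assumed to match the whole name
    max_age_days -- Max Reports Age (Days); older files are skipped
    now          -- time the scan schedule starts
    processed    -- dict name -> time first processed when Ignore Duplicates
                    is selected, or None when the check box is cleared
    """
    name_re = re.compile(pattern)
    cutoff = now - timedelta(days=max_age_days)
    selected = []
    for name, mtime in listing:
        if not name_re.fullmatch(name):
            continue            # not a scan result file (e.g. .bak, notes)
        if mtime < cutoff:
            continue            # older than Max Reports Age
        if processed is not None and name in processed:
            continue            # already imported by an earlier run
        selected.append(name)
    return selected


def expire_tracking(processed, now):
    """Drop entries tracked for 10 days or more, as the Ignore Duplicates
    option does; such files are processed again on the next run."""
    return {n: t for n, t in processed.items() if now - t < TRACKING_WINDOW}


def run_schedule(listing, pattern, now, max_age_days=7, processed=None):
    """One scan schedule run: expire stale tracking entries, select files,
    then record the selected ones so the next run skips them.
    Returns (selected names, updated tracking dict or None)."""
    if processed is not None:
        processed = expire_tracking(processed, now)
    names = select_result_files(listing, pattern, max_age_days, now, processed)
    if processed is not None:
        for n in names:
            processed[n] = now
    return names, processed


if __name__ == "__main__":
    first, tracked = run_schedule(REMOTE_LISTING, FILE_NAME_PATTERN, RUN_ONE, processed={})
    print("run 1 imports:", first)          # the two files under 7 days old
    second, tracked = run_schedule(REMOTE_LISTING, FILE_NAME_PATTERN, RUN_TWO, processed=tracked)
    print("run 2 imports:", second)         # [] because both are tracked
    again, _ = run_schedule(REMOTE_LISTING, FILE_NAME_PATTERN, RUN_TWO)
    print("Ignore Duplicates cleared:", again)   # both files imported again
```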

To create a scan schedule, see “Scheduling a Vulnerability Scan” on page 105.

Related Documentation

• Vulnerability Assessment Scanner Overview on page 3.

• Viewing the Status Of a Vulnerability Scan on page 106

• Adding an eEye REM SNMP Scan on page 13


CHAPTER 3

Digital Defense Inc AVS Scanner

This chapter describes the following sections:

• Digital Defense Inc AVS Scanner Overview on page 9

• Adding a Digital Defense Inc AVS Scanner on page 9

Digital Defense Inc AVS Scanner Overview

You can add a Digital Defense Inc AVS scanner to your Juniper Secure Analytics (JSA) deployment.

Before you begin

Before you add this scanner, a server certificate is required to support HTTPS connections. JSA supports certificates with the following file extensions: .crt, .cert, or .der. To copy a certificate to the /opt/qradar/conf/trusted_certificates directory, choose one of the following options:

• Manually copy the certificate to the /opt/qradar/conf/trusted_certificates directory by using SCP or SFTP.

• SSH into the console or managed host and retrieve the certificate by using the following command: /opt/qradar/bin/getcert.sh <IP or Hostname> <optional port - 443 default>. A certificate is then downloaded from the specified host name or IP and placed into /opt/qradar/conf/trusted_certificates directory in the appropriate format.
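The getcert.sh step above trusts whichever certificate the scanner host presents at the moment of retrieval. As an added Python example (not the getcert.sh script and not JSA code), the helper below fetches the certificate the same way, but writes it into /opt/qradar/conf/trusted_certificates with a .crt extension only after its SHA-256 fingerprint matches a value obtained out of band from the scanner's administrator; the fetch helper and the constructed certificate body are assumptions made for the example.

```python
"""Install a scanner's HTTPS certificate into the JSA trusted certificate
directory with a fingerprint check. Added example, not JSA's getcert.sh."""
import base64
import hashlib
import os
import ssl

TRUSTED_DIR = "/opt/qradar/conf/trusted_certificates"   # path named in the manual


def fetch_server_cert_pem(host, port=443):
    """Retrieve the PEM certificate the remote host presents (needs network).
    Assumed helper: uses the Python ssl module, not getcert.sh."""
    return ssl.get_server_certificate((host, port))


def cert_fingerprint(pem):
    """SHA-256 fingerprint of the DER encoding as colon-separated uppercase
    hex, the form scanner consoles usually display for comparison."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fingerprint):
    # Accept "AB:CD:..." or "abcd..." so an operator can paste either form.
    return fingerprint.replace(":", "").replace(" ", "").lower()


def install_trusted_cert(pem, expected_fingerprint, name, trusted_dir=TRUSTED_DIR):
    """Write the certificate as <name>.crt (one of the extensions JSA accepts)
    only when its fingerprint equals the expected one.
    Returns the path written, or None when the fingerprint does not match."""
    if _normalise(cert_fingerprint(pem)) != _normalise(expected_fingerprint):
        return None
    os.makedirs(trusted_dir, exist_ok=True)
    path = os.path.join(trusted_dir, name + ".crt")
    with open(path, "w") as fh:
        fh.write(pem)
    return path


# Constructed stand-in certificate body (not a real X.509 certificate); it
# exercises the fingerprint and pinning logic offline.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-avs-scanner-certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    # Offline demonstration: the value an operator would compare by eye.
    print("fingerprint:", cert_fingerprint(CONSTRUCTED_PEM))
    # A wrong expected value is rejected and nothing is written.
    print("mismatch ->", install_trusted_cert(CONSTRUCTED_PEM, "00:" * 31 + "00",
                                             "avs-scanner", trusted_dir="constructed_trusted"))
```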

Related Documentation

• Adding a Digital Defense Inc AVS Scanner on page 9

• Adding an eEye REM SNMP Scan on page 13

• Adding an eEye REM JDBC Scan on page 15

• Vulnerability Assessment Scanner Overview on page 3.

• Adding a Beyond Security AVDS Vulnerability Scanner on page 5.

Adding a Digital Defense Inc AVS Scanner


At intervals that are determined by a scan schedule, Juniper Secure Analytics (JSA) imports the most recent XML results that contain Digital Defense Inc AVS vulnerabilities. To enable communication with the Digital Defense Inc AVS scanner, JSA uses the credentials that you specify in the scanner configuration.

The following list provides more information about Digital Defense Inc AVS scanner parameters:

Remote Hostname
The host name of the remote server that hosts the Digital Defense Inc AVS scanner.

Remote Port
The port number of the remote server that hosts the Digital Defense Inc AVS scanner.

Remote URL
The URL of the remote server that hosts the Digital Defense Inc AVS scanner.

Client ID
The master client ID that JSA uses to connect to the Digital Defense Inc AVS scanner.

Host Scope
When set to Internal, retrieves the active view for the internal hosts of the Digital Defense Inc AVS scanner. When set to External, retrieves the external active view of the Digital Defense Inc AVS scanner.

Retrieve Data For Account
The Default option indicates that the data is included from only the specified Client ID. If you want to include data from the Client ID and all its sub accounts, select All Sub Accounts. If you want to specify a single, alternate client ID, select Alternate Client ID.

Correlation Method
Specifies the method by which vulnerabilities are correlated.

• The All Available option queries the Digital Defense Inc vulnerability catalog and attempts to correlate vulnerabilities based on all the references that are returned for that specific vulnerability. References might include CVE, Bugtraq, Microsoft Security Bulletin, and OSVDB. Multiple references often correlate to the same vulnerability, but this option returns more results and takes longer to process than the CVE option.

• The CVE option correlates vulnerabilities based only on the CVE-ID.

Procedure

To add a Digital Defense Inc AVS Scanner:

1. Click the Admin tab.


3. Click the VA Scanners icon.

4. Click Add.

5. From the Type list box, select Digital Defense Inc AVS.

6. Configure the parameters.

7. To configure the CIDR ranges you want this scanner to consider, type the CIDR range, or click Browse to select the CIDR range from the network list.

8. Click Add.

9. Click Save.

10. On the Admin tab, click Deploy Changes.

What to do next

After you add your Digital Defense Inc AVS scanner, you can add a scan schedule to retrieve your vulnerability information.

Related Documentation

• Digital Defense Inc AVS Scanner Overview on page 9

• Adding an eEye REM SNMP Scan on page 13

• Adding an eEye REM JDBC Scan on page 15


CHAPTER 4

Managing eEye Scanner

This chapter describes the following sections:

• eEye Scanner Overview on page 13

• Adding an eEye REM SNMP Scan on page 13

• Adding an eEye REM JDBC Scan on page 15

• Installing the Unrestricted Java Cryptography Extension on page 17

eEye Scanner Overview

Juniper Secure Analytics (JSA) can collect vulnerability data from eEye REM Security Management console or eEye Retina CS scanners.

The following protocol options are available to collect vulnerability information from eEye scanners:

• Add an SNMP protocol eEye scanner. See “Adding an eEye REM SNMP Scan” on page 13.

• Add a JDBC protocol eEye scanner. See “Adding an eEye REM JDBC Scan” on page 15.

Related Documentation

• Adding an eEye REM JDBC Scan on page 15

• Vulnerability Assessment Scanner Overview on page 3.

• Adding a Beyond Security AVDS Vulnerability Scanner on page 5.

Adding an eEye REM SNMP Scan

Administrators can add a scanner to collect vulnerability data over SNMP from eEye REM or CS Retina scanners.


To receive the most up-to-date CVE information, administrators must periodically update Juniper Secure Analytics (JSA) with the latest audits.xml file.

Procedure

To add an eEye REM scanner to JSA:

1. Click the Admin tab.

2. Click the VA Scanners icon.

3. Click Add.

4. In the Scanner Name field, type a name to identify your SecureScout server.

5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

6. From the Type list, select eEye REM Scanner.

7. From the Import Type list, select SNMP.

8. In the Base Directory field, type a location to store the temporary files that contain the eEye REM scan data. The default directory is /store/tmp/vis/eEye/.

9. In the Cache Size field, type the number of transactions you want to store in the cache before the SNMP data is written to the temporary file. The default value is 40 transactions.

10. In the Retention Period field, type the time period, in days, that the system stores scan information. If a scan schedule has not imported data before the retention period expires, the scan information from the cache is deleted.

11. Select the Use Vulnerability Data check box to correlate eEye vulnerabilities to Common Vulnerabilities and Exposures (CVE) identifiers and description information.

12. In the Vulnerability Data File field, type the directory path to the eEye audits.xml file.

13. In the Listen Port field, type the port number that is used to monitor for incoming SNMP vulnerability information from your eEye REM scanner. The default port is 1162.

14. In the Source Host field, type the IP address of the eEye scanner.

15. From the SNMP Version list, select the SNMP protocol version. The default protocol is SNMPv2.

16. In the Community String field, type the SNMP community string for the SNMPv2 protocol. For example, Public.

17. From the Authentication Protocol list, select the algorithm to authenticate SNMPv3 traps. The options include:

• SHA—Select this option to use Secure Hash Algorithm (SHA) as your authentication protocol.


18. In the Authentication Password field, type the password that you want to use to authenticate SNMPv3 communication.

The password must include a minimum of eight characters.

19. From the Encryption Protocol list, select the SNMPv3 decryption algorithm. The options include:

• DES—Select this option to use the Data Encryption Standard (DES).

• AES128—Select this option to use the 128-bit Advanced Encryption Standard (AES).

• AES192—Select this option to use the 192-bit Advanced Encryption Standard (AES).

• AES256—Select this option to use the 256-bit Advanced Encryption Standard (AES).

20. In the Encryption Password field, type the password required to decrypt SNMPv3 traps.

21. To configure a CIDR range for your scanner:

a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR range from the network list.

b. Click Add.

22. Click Save.

23. On the Admin tab, click Deploy Changes. Select one of the following options:

• If you do not use SNMPv3 or use low-level SNMP encryption, you are now ready to create a scan schedule. See “Scheduling a Vulnerability Scan” on page 105.

• If your SNMPv3 configuration uses AES192 or AES256 encryption, you must install the unrestricted Java cryptography extension on each console or managed host that receives SNMPv3 traps. See “Installing the Unrestricted Java Cryptography Extension” on page 17.

Related Documentation

• Installing the Unrestricted Java Cryptography Extension on page 17

• Vulnerability Assessment Scanner Overview on page 3

• Adding a Beyond Security AVDS Vulnerability Scanner on page 5

Adding an eEye REM JDBC Scan

Administrators can add a scanner to collect vulnerability data over JDBC from eEye REM or CS Retina scanners.

Before you configure Juniper Secure Analytics (JSA) to poll for vulnerability data, we suggest you create a database user account and password for JSA. If you assign the user account read-only permission to the RetinaCSDatabase, you can restrict access to the database that contains the eEye vulnerabilities. The JDBC protocol enables JSA to log in and poll for events from the MSDE database. Ensure that no firewall rules block communication between the eEye scanner and the console or managed host responsible for polling with the JDBC protocol. If you use database instances, you must verify port 1433 is available for the SQL Server Browser Service to resolve the instance name.

Procedure

To add an eEye REM JDBC scanner to JSA:

1. Click the Admin tab.

2. Click the VA Scanners icon.

3. Click Add.

4. In the Scanner Name field, type a name to identify your SecureScout server.

5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

6. From the Type list, select eEye REM Scanner.

7. From the Import Type list, select JDBC.

8. In the Hostname field, type the IP address or the host name of the eEye database.

9. In the Port field, type 1433.

10. Optional. In the Database Instance field, type the database instance for the eEye database.

If a database instance is not used, administrators can leave this field blank.

11. In the Username field, type the username required to query the eEye database.

12. In the Password field, type the password required to query the eEye database.

13. In the Domain field, type the domain, if required, to connect to the eEye database.

If the database is configured for Windows and inside a domain, you must specify the domain name.

14. In the Database Name field, type RetinaCSDatabase as the database name.

15. Select the Use Named Pipe Communication check box if named pipes are required to communicate to the eEye database. By default, this check box is clear.

16. Select the Use NTLMv2 check box if the eEye scanner uses NTLMv2 as an authentication protocol. By default, this check box is clear.

The Use NTLMv2 check box forces MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.

17. To configure a CIDR range for the scanner:


b. Click Add.

18. Click Save.

19. On the Admin tab, click Deploy Changes.

To create a scan schedule, see “Scheduling a Vulnerability Scan” on page 105.

Related Documentation

• Adding an eEye REM JDBC Scan on page 15

• Vulnerability Assessment Scanner Overview on page 3

• Adding a Beyond Security AVDS Vulnerability Scanner on page 5

Installing the Unrestricted Java Cryptography Extension

The Java Cryptography Extension (JCE) is a Java framework that is required to decrypt advanced cryptography algorithms for AES 192-bit or AES 256-bit SNMPv3 traps. Each managed host that receives SNMPv3 traps with high-level encryption requires the unrestricted JCE, so you must repeat this process on each appliance that listens for those traps. If you require advanced cryptography algorithms for SNMP communication, you must update the existing cryptography extension on your managed host with an unrestricted JCE.

Procedure

To install the Unrestricted Java Cryptography Extension on Juniper Secure Analytics (JSA):

1. Using SSH, log in to your JSA console.

2. To verify the version of Java on the console, type the following command:

java -version

NOTE: The JCE file must match the version of the Java installed on the console.

3. Download the latest version of the Java Cryptography Extension.

4. Secure copy (SCP) the local_policy.jar and US_export_policy.jar files to the following directory of the console:

/opt/ibm/java-[version]/jre/lib/security/

5. Optional. Distributed deployments require administrators to copy the local_policy.jar and US_export_policy.jar files from the console appliance to the managed host.

To create a scan schedule, see “Scheduling a Vulnerability Scan” on page 105.

Related Documentation

• Adding a Beyond Security AVDS Vulnerability Scanner on page 5

• Adding an eEye REM SNMP Scan on page 13

• Adding an eEye REM JDBC Scan on page 15

CHAPTER 5

Managing IBM Security AppScan Enterprise Scanners

This chapter describes the following sections:

• IBM Security SiteProtector Scanner Overview on page 19

• Creating a Customer User Type for IBM AppScan on page 20

• Enabling Integration with IBM Security AppScan Enterprise on page 20

• Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

• Publishing the Completed Reports in IBM AppScan on page 22

• Adding an IBM AppScan Vulnerability Scanner on page 22

IBM Security SiteProtector Scanner Overview

The IBM SiteProtector scanner module for Juniper Secure Analytics (JSA) accesses vulnerability data from IBM SiteProtector scanners through Java Database Connectivity (JDBC) queries.

The IBM SiteProtector scanner retrieves vulnerability data from the RealSecureDB table and polls for new vulnerabilities each time a scan schedule starts. The Compare field enables the query to retrieve any new vulnerabilities from the RealSecureDB table to ensure that duplicate vulnerabilities are not imported. When the IBM SiteProtector scanner is configured, the administrator can create a SiteProtector user account specifically for polling vulnerability data. After the user account is created, the administrator can verify that there are no firewalls that reject queries on the port configured to poll the database. To configure an IBM Security SiteProtector scanner, see “Adding an IBM SiteProtector Vulnerability Scanner” on page 29.

Related Documentation

• Adding an IBM SiteProtector Vulnerability Scanner on page 29

• Enabling Integration with IBM Security AppScan Enterprise on page 20

Creating a Customer User Type for IBM AppScan

Custom user types allow administrators to perform limited and specific administrative tasks and must be created before you can assign permissions.

Procedure

To create a customer user type for IBM AppScan:

1. Log in to your IBM AppScan Enterprise appliance.

2. Click the Administration tab.

3. On the User Types page, click Create.

4. Select all of the following user permissions:

• Configure Juniper Secure Analytics (JSA) Integration—Select this check box to allow users to access the JSA integration options for AppScan Enterprise.

• Publish to JSA—Select this check box to allow JSA access to published scan report data.

• JSA Service Account—Select this check box to add access to the REST API for the user account. This permission does not provide access to the user interface.

5. Click Save.

You are now ready to enable integration permissions. See “Enabling Integration with IBM Security AppScan Enterprise” on page 20.

Related Documentation

• Adding an IBM SiteProtector Vulnerability Scanner on page 29

• Creating a Customer User Type for IBM AppScan on page 20

• Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

Enabling Integration with IBM Security AppScan Enterprise

IBM Security AppScan Enterprise must be configured to enable integration with Juniper Secure Analytics (JSA). To complete these steps, you must be logged in with the user type you created in the previous step.

Procedure

To enable integration with IBM Security AppScan Enterprise:

1. Click the Administration tab.

2. On the Navigation menu, select Network Security Systems.

3. On the JSA Integration Setting pane, click Edit.

Any reports previously published to JSA are displayed. If any of the reports displayed are no longer required, you can remove them from the list. As you publish additional reports to JSA, the reports are displayed in this list.

You are now ready to configure the Application Deployment Mapping in AppScan Enterprise. See “Creating an Application Deployment Map in IBM Security AppScan Enterprise” on page 21.

Related Documentation

• Creating a Customer User Type for IBM AppScan on page 20

• Enabling Integration with IBM Security AppScan Enterprise on page 20

• Adding an IBM SiteProtector Vulnerability Scanner on page 29

Creating an Application Deployment Map in IBM Security AppScan Enterprise

The Application Deployment Map allows AppScan Enterprise to determine the locations hosting the application in your production environment.

As vulnerabilities are discovered, AppScan Enterprise knows the locations of the hosts and the IP addresses affected by the vulnerability. If an application is deployed to several hosts, then AppScan Enterprise generates a vulnerability for each host in the scan results.

Procedure

To create an application deployment map in IBM Security AppScan Enterprise:

1. Click the Administration tab.

2. On the Navigation menu, select Network Security Systems.

3. On the Juniper Secure Analytics (JSA) Integration Setting pane, click Edit.

4. In the Application test location (host or pattern) field, type the test location of your application.

5. In the Application production location (host) field, type the IP address of your production environment.

To add vulnerability information to JSA, your Application Deployment Mapping must include an IP address. Vulnerability data for which no IP address is available in the AppScan Enterprise scan results is excluded from JSA.

6. Click Add.

7. Repeat this procedure to map any more production environments in AppScan Enterprise.

8. Click Done.

You are now ready to publish completed reports. See “Publishing the Completed Reports in IBM AppScan” on page 22.

Related Documentation

• Adding an IBM AppScan Vulnerability Scanner on page 22

• Creating a Customer User Type for IBM AppScan on page 20

Publishing the Completed Reports in IBM AppScan

Completed vulnerability reports generated by AppScan Enterprise must be made accessible to Juniper Secure Analytics (JSA) by publishing the report.

Procedure

To publish the completed reports in IBM AppScan:

1. Click the Jobs & Reports tab.

2. Navigate to the security report you want to make available to JSA.

3. On the menu bar of any security report, select Publish > Grant to provide report access to JSA.

4. Click Save.

You are now ready to enable integration permissions. See “Adding an IBM AppScan Vulnerability Scanner” on page 22.

Related Documentation

• Adding an IBM AppScan Vulnerability Scanner on page 22

• Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

• Creating a Customer User Type for IBM AppScan on page 20

Adding an IBM AppScan Vulnerability Scanner

Adding a scanner enables administrators to define which scan reports in IBM Security AppScan are collected by Juniper Secure Analytics (JSA).

Administrators can add multiple IBM AppScan scanners to JSA, each with a different configuration. Multiple configurations provide JSA the ability to import AppScan data for specific results. The scan schedule determines the frequency with which scan results are imported from the REST web service in IBM AppScan Enterprise.

Procedure

To add an IBM AppScan Vulnerability Scanner to JSA:

1. Click the Admin tab.

2. Click the VA Scanners icon.

3. Click Add.

4. In the Scanner Name field, type a name to identify your IBM AppScan Enterprise scanner.


6. From the Type list, select IBM AppScan Scanner.

7. In the ASE Instance Base URL field, type the full base URL of the AppScan Enterprise instance.

This field supports HTTP and HTTPS addresses. For example, http://myasehostname/ase/.

8. From the Authentication Type list, select one of the following options:

• Windows Authentication–Select this option to use Windows Authentication with the REST web service.

• Jazz Authentication–Select this option to use Jazz Authentication with the REST web service.

9. In the Username field, type the username required to retrieve scan results from AppScan Enterprise.

10. In the Password field, type the password required to retrieve scan results from AppScan Enterprise.

11. In the Report Name Pattern field, type a regular expression (regex) required to filter the list of vulnerability reports available from AppScan Enterprise.

By default, the Report Name Pattern field contains .* as the regex pattern. The .* pattern imports all scan reports that are published to JSA. All matching files from the file pattern are processed by JSA. You can specify a group of vulnerability reports or an individual report using a regex pattern.

12. To configure a CIDR range for your scanner:

a. In the text field, type the CIDR range for the scanner or click Browse to select a CIDR range from the network list.

b. Click Add.

13. Click Save.

14. On the Admin tab, click Deploy Changes.

You are now ready to create a scan schedule for IBM Security AppScan Enterprise. See “Scheduling a Vulnerability Scan” on page 105.
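How the Report Name Pattern in step 11 narrows the set of published reports, as an added example that is not part of this manual and not JSA's or AppScan Enterprise's own code. The report names are constructed, and whole-name (fullmatch) semantics are an assumption; the page states only that .* imports every published report.

```python
import re

# Constructed names of reports published to JSA from AppScan Enterprise.
REPORT_NAMES = [
    "Weekly - Customer Portal",
    "Weekly - Partner Portal",
    "Monthly - Customer Portal",
    "Ad hoc scan 2015-02-01",
]


def select_reports(pattern, names, whole_name=True):
    """Return the reports a Report Name Pattern would pick out.

    whole_name=True applies the pattern to the entire name (fullmatch), the
    assumption used here; whole_name=False shows the looser 'search' reading
    so the two behaviours can be compared on the same input.
    """
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        # Surface a bad pattern at configuration time instead of silently importing nothing.
        raise ValueError(f"invalid Report Name Pattern {pattern!r}: {exc}") from None
    matcher = rx.fullmatch if whole_name else rx.search
    return [name for name in names if matcher(name)]


def demo():
    """Return (count for .*, weekly reports, bare word under fullmatch, bare word under search)."""
    return (
        len(select_reports(r".*", REPORT_NAMES)),
        select_reports(r"Weekly - .*", REPORT_NAMES),
        select_reports(r"Portal", REPORT_NAMES),
        select_reports(r"Portal", REPORT_NAMES, whole_name=False),
    )


if __name__ == "__main__":
    print(demo())
```

The point to check before saving the scanner: under whole-name matching a bare word such as Portal selects nothing, so a pattern meant to pick a family of reports needs its own wildcards (.*Portal), whereas an over-broad pattern pulls in reports you did not intend to import into the asset model.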

Related Documentation

• Publishing the Completed Reports in IBM AppScan on page 22

• Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

• Creating a Customer User Type for IBM AppScan on page 20

CHAPTER 6

Managing an IBM Security Guardium Scanner

This chapter describes the following sections:

• IBM Security Guardium Scanner Overview on page 25

• Adding an IBM Security Guardium Vulnerability Scanner on page 26

IBM Security Guardium Scanner Overview

IBM InfoSphere Guardium appliances are capable of exporting database vulnerability information that can be critical to protecting customer data.

IBM Guardium audit processes export the results of tests that fail the Common Vulnerability and Exposures (CVE) tests generated when running security assessment tests on your IBM Guardium appliance. The vulnerability data from IBM Guardium must be exported to a remote server or staging server in Security Content Automation Protocol (SCAP) format. JSA can then retrieve the scan results from the remote server that stores the vulnerability data using SFTP.

IBM Guardium only exports vulnerability data from databases containing failed CVE test results. If there are no failed CVE tests, IBM Guardium may not export a file at the end of the security assessment. For information on configuring security assessment tests and creating an audit process to export vulnerability data in SCAP format, see your IBM InfoSphere Guardium documentation.

After you have configured your IBM Guardium appliance, you are ready to configure JSA to import the results from the remote server hosting the vulnerability data. You must add an IBM Guardium scanner to JSA and configure the scanner to retrieve data from your remote server. The most recent vulnerabilities are imported by JSA when you create a scan schedule. Scan schedules allow you to determine the frequency with which JSA requests data from the remote server hosting your IBM Guardium vulnerability data.

Integration overview for IBM InfoSphere Guardium and JSA

To integrate IBM InfoSphere Guardium with JSA:

2. On your JSA console, add an IBM Guardium scanner. See “Adding an IBM Security Guardium® Vulnerability Scanner” on page 26.

3. On your JSA console, create a scan schedule to import scan result data. See “Scheduling a Vulnerability Scan” on page 105.

Related Documentation

• Adding an IBM Security Guardium® Vulnerability Scanner on page 26

• Publishing the Completed Reports in IBM AppScan on page 22

• Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

Adding an IBM Security Guardium Vulnerability Scanner

Adding a scanner allows Juniper Secure Analytics (JSA) to collect SCAP vulnerability files from IBM InfoSphere Guardium.

Administrators can add multiple IBM Guardium scanners to JSA, each with a different configuration. Multiple configurations provide JSA the ability to import vulnerability data for specific results. The scan schedule determines the frequency with which the SCAP scan results are imported from IBM InfoSphere Guardium.

Procedure

To add an IBM Security Guardium Vulnerability Scanner to JSA:

1. Click the Admin tab.

2. Click the VA Scanners icon.

3. Click Add.

4. In the Scanner Name field, type a name to identify your IBM AppScan Enterprise scanner.

5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

6. From the Type list, select IBM Guardium SCAP Scanner.

7. Choose one of the following authentication options as described in Table 4 on page 26.

Table 4: IBM AppScan Enterprise Scanner Authentication Options

Option: Login Username

Description: To authenticate with a username and password:

1. In the Login Username field, type a username that has access to retrieve the scan results from the remote host.

Option: Enable Key Authorization

Description: To authenticate with a key-based authentication file:

1. Select the Enable Key Authentication check box.

2. In the Private Key File field, type the directory path to the key file. The default directory for the key file is /opt/qradar/conf/vis.ssh.key. If a key file does not exist, you must create the vis.ssh.key file.

8. To configure the Ignore Duplicates option:

• Select this check box to track files that have already been processed by a scan schedule. This option prevents a scan result file from being processed a second time.

• Clear this check box to import vulnerability scan results each time the scan schedule starts. This option can lead to multiple vulnerabilities being associated with an asset.

If a result file is not scanned within 10 days, the file is removed from the tracking list and is processed the next time the scan schedule starts.

9. To configure a CIDR range for your scanner:

a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR range from the network list.

b. Click Add.

10. Click Save.

11. On the Admin tab, click Deploy Changes.

You are now ready to create a scan schedule for IBM InfoSphere Guardium. See “Scheduling a Vulnerability Scan” on page 105.
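The Ignore Duplicates bookkeeping described in step 8, including the 10-day expiry of the tracking list, as an added example that is not part of this manual and not JSA's own code. File names and schedule times are constructed; that an entry's timer restarts each time a schedule run sees the file again is an assumption, as is the .xml extension of the SCAP files.

```python
from datetime import datetime, timedelta

TRACKING_WINDOW = timedelta(days=10)   # from the page: entries expire after 10 days


class ProcessedFileTracker:
    """Remember which SCAP result files a scan schedule has already processed."""

    def __init__(self, window=TRACKING_WINDOW):
        self.window = window
        self._last_seen = {}   # file name -> time a schedule run last saw it

    def _expire(self, now):
        # Drop files not seen within the window; they are processed again next time.
        self._last_seen = {name: ts for name, ts in self._last_seen.items()
                           if now - ts <= self.window}

    def should_process(self, name, now, ignore_duplicates=True):
        """True if this schedule run should import the file."""
        self._expire(now)
        already_seen = name in self._last_seen
        self._last_seen[name] = now   # assumption: seeing the file restarts its timer
        if ignore_duplicates and already_seen:
            return False
        return True


def run_schedule(tracker, files_present, now, ignore_duplicates=True):
    """Return the files this schedule run would import, in name order."""
    return [name for name in sorted(files_present)
            if tracker.should_process(name, now, ignore_duplicates)]


def demo():
    """Three runs with Ignore Duplicates selected, then two runs with it cleared."""
    t0 = datetime(2015, 1, 1)   # constructed schedule start
    tracker = ProcessedFileTracker()
    run1 = run_schedule(tracker, {"db1.xml", "db2.xml"}, t0)
    run2 = run_schedule(tracker, {"db1.xml", "db2.xml", "db3.xml"}, t0 + timedelta(days=1))
    # db1.xml was last seen on day 1; by day 12 it has aged out and is imported again.
    run3 = run_schedule(tracker, {"db1.xml"}, t0 + timedelta(days=12))

    # With the check box cleared, the same file is imported on every run, which is
    # how an asset ends up carrying the same vulnerability several times.
    loose = ProcessedFileTracker()
    off1 = run_schedule(loose, {"db1.xml"}, t0, ignore_duplicates=False)
    off2 = run_schedule(loose, {"db1.xml"}, t0 + timedelta(days=1), ignore_duplicates=False)
    return run1, run2, run3, off1, off2


if __name__ == "__main__":
    print(demo())
```

The third run is the case worth remembering when sizing the schedule: a result file that stays on the remote server longer than the tracking window is re-imported even with Ignore Duplicates selected, so files should be rotated off the staging server or the schedule should run more often than every 10 days.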

Related Documentation

• IBM Security SiteProtector Scanner Overview on page 19

• Publishing the Completed Reports in IBM AppScan on page 22

CHAPTER 7

Managing IBM Security SiteProtector Scanner

This chapter describes the following sections:

• IBM Security SiteProtector Scanner Overview on page 29

• Adding an IBM SiteProtector Vulnerability Scanner on page 29

IBM Security SiteProtector Scanner Overview

The IBM SiteProtector scanner module for Juniper Secure Analytics (JSA) accesses vulnerability data from IBM SiteProtector scanners through Java Database Connectivity (JDBC) queries.

The IBM SiteProtector scanner retrieves vulnerability data from the RealSecureDB table and polls for new vulnerabilities each time a scan schedule starts. The Compare field enables the query to retrieve any new vulnerabilities from the RealSecureDB table to ensure that duplicate vulnerabilities are not imported. When the IBM SiteProtector scanner is configured, the administrator can create a SiteProtector user account specifically for polling vulnerability data. After the user account is created, the administrator can verify that there are no firewalls that reject queries on the port configured to poll the database. To configure an IBM Security SiteProtector scanner, see “Adding an IBM SiteProtector Vulnerability Scanner” on page 29.

Related Documentation

• Adding an IBM SiteProtector Vulnerability Scanner on page 29

• Enabling Integration with IBM Security AppScan Enterprise on page 20

• Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
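The high-water-mark polling that the Compare field describes in the SiteProtector overview above (and in the identical overview in Chapter 5), as an added example that is not part of this manual and not JSA's or SiteProtector's own code. An in-memory SQLite table stands in for RealSecureDB with constructed rows; the column names and the timestamp-plus-id comparison are assumptions, since the page names only the table and the Compare field.

```python
import sqlite3

# Constructed stand-in for the SiteProtector RealSecureDB table. The column
# names (id, host, check_name, discovered) are assumptions for illustration.
SCHEMA = """
CREATE TABLE RealSecureDB (
    id          INTEGER PRIMARY KEY,
    host        TEXT NOT NULL,
    check_name  TEXT NOT NULL,
    discovered  TEXT NOT NULL   -- ISO-8601 timestamp used as the Compare field
)
"""

# Constructed sample rows; rows 2 and 3 deliberately share a timestamp.
SAMPLE_ROWS = [
    (1, "10.0.0.5", "weak-ssl-cipher",   "2015-01-01T10:00:00"),
    (2, "10.0.0.6", "anonymous-ftp",     "2015-01-01T10:05:00"),
    (3, "10.0.0.7", "default-community", "2015-01-01T10:05:00"),
]


def open_sample_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO RealSecureDB VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class IncrementalPoller:
    """Fetch only rows newer than the last (discovered, id) pair already imported.

    Comparing on the timestamp alone with '>' would skip a row that shares the
    timestamp of the high-water mark but was committed after the previous poll;
    the (timestamp, id) tuple closes that gap without re-importing anything.
    """

    def __init__(self, conn):
        self.conn = conn
        self.mark_ts = ""   # empty string sorts before any ISO-8601 timestamp
        self.mark_id = 0

    def poll(self):
        rows = self.conn.execute(
            """
            SELECT id, host, check_name, discovered
              FROM RealSecureDB
             WHERE discovered > ?
                OR (discovered = ? AND id > ?)
             ORDER BY discovered, id
            """,
            (self.mark_ts, self.mark_ts, self.mark_id),
        ).fetchall()
        if rows:
            # Advance the mark to the newest row returned.
            self.mark_ts, self.mark_id = rows[-1][3], rows[-1][0]
        return rows


def demo():
    """Run three schedule cycles and return how many rows each imported."""
    conn = open_sample_db()
    poller = IncrementalPoller(conn)
    first = len(poller.poll())      # all three constructed rows
    second = len(poller.poll())     # nothing new, so no duplicates
    # A late-committed row that shares the newest timestamp already imported.
    conn.execute("INSERT INTO RealSecureDB VALUES (?, ?, ?, ?)",
                 (4, "10.0.0.8", "open-telnet", "2015-01-01T10:05:00"))
    conn.commit()
    third = len(poller.poll())      # exactly the late row
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The second cycle returning nothing is the behaviour the Compare field exists to give; the third cycle shows why the mark should carry a tie-breaker as well as the timestamp. Whatever account JSA polls with needs only SELECT on this table, which is the read-only scoping the chapter recommends.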

Adding an IBM SiteProtector Vulnerability Scanner

Juniper Secure Analytics (JSA) can poll IBM InfoSphere SiteProtector appliances for vulnerability data with JDBC.


frequency with which the database on the SiteProtector scanner is queried for vulnerability data.

Procedure

To add an IBM SiteProtector Vulnerability scanner to JSA:

1. Click the Admin tab.

2. Click the VA Scanners icon.

3. Click Add.

4. In the Scanner Name field, type a name to identify your SecureScout server.

5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

6. From the Type list, select IBM SiteProtector Scanner.

7. In the Hostname field, type the IP address or the host name of the IBM SiteProtector database that contains vulnerabilities to import.

8. In the Port field, type 1433 as the port for the IBM SiteProtector database.

9. In the Username field, type the username required to query the IBM SiteProtector database.

10. In the Password field, type the password required to query the IBM SiteProtector database.

11. In the Domain field, type the domain, if required, to connect to the IBM SiteProtector database.

If the database is configured for Windows and inside a domain, you must specify the domain name.

12. In the Database Name field, type RetinaCSDatabase as the database name.

13. In the Database Instance field, type the database instance for the IBM SiteProtector database. If you are not using a database instance, you can leave this field blank.

14. Select the Use Named Pipe Communication check box if named pipes are required to communicate to the IBM SiteProtector database. By default, this check box is clear.

15. Select the Use NTLMv2 check box if the eEye scanner uses NTLMv2 as an authentication protocol. By default, this check box is clear.

The Use NTLMv2 check box forces MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.

16. To configure a CIDR range for the scanner:

a. In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.

17. Click Save.

18. On the Admin tab, click Deploy Changes.

You are now ready to create a scan schedule. See “Scheduling a Vulnerability Scan” on page 105.

Related Documentation

• Creating a Customer User Type for IBM AppScan on page 20

• Enabling Integration with IBM Security AppScan Enterprise on page 20

CHAPTER 8

Managing IBM Security Tivoli Endpoint Manager Scanner

This chapter describes the following sections:

• IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

• Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner on page 33

IBM Security Tivoli Endpoint Manager Scanner Overview

The IBM Tivoli Endpoint Manager scanner module accesses vulnerability data from IBM Tivoli Endpoint Manager using the SOAP API installed with the Web Reports application. The Web Reports application for Tivoli Endpoint Manager is required to retrieve vulnerability data from Tivoli Endpoint Manager for Juniper Secure Analytics (JSA). Administrators can create a user in IBM Tivoli Endpoint Manager for JSA to use when the system collects vulnerabilities.

NOTE: JSA is compatible with IBM Tivoli Endpoint Manager versions 8.2.x. However, administrators can use the latest version of IBM Tivoli Endpoint Manager that is available.

To add an IBM Tivoli Endpoint Manager scanner, see “Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner” on page 33.

Related Documentation

• Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner on page 33

• Creating a Customer User Type for IBM AppScan on page 20

• IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner

You can add multiple IBM Tivoli Endpoint Manager scanners in JSA, each with a different configuration to determine which CIDR ranges you want the scanner to consider. Multiple configurations for a single IBM Tivoli Endpoint Manager scanner allow you to create individual scanners for collecting specific result data from specific locations or vulnerabilities for specific types of operating systems.

Procedure

To add an IBM Security Tivoli Endpoint Manager Vulnerability scanner to JSA:

1. Click the Admin tab.

2. Click the VA Scanners icon.

3. Click Add.

4. In the Scanner Name field, type a name to identify your SecureScout server.

5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

6. From the Type list, select IBM Tivoli Endpoint Manager.

7. In the Hostname field, type the IP address or hostname of the IBM Tivoli Endpoint Manager containing the vulnerabilities you want to retrieve with the SOAP API.

8. In the Port field, type the port number used to connect to the IBM Tivoli Endpoint Manager using the SOAP API.

By default, port 80 is the port number for communicating with IBM Tivoli Endpoint Manager. If you use HTTPS, you must update this field with the HTTPS port number, which for most configurations is port 443.

9. Select the Use HTTPS check box to connect securely with the HTTPS protocol. If you select this check box, the hostname or IP address you specify uses HTTPS to connect to your IBM Tivoli Endpoint Manager.

If a certificate is required to connect using HTTPS, you must copy any certificates required by the JSA console or managed host to the following directory:

/opt/qradar/conf/trusted_certificates

NOTE: JSA supports certificates with the following file extensions: .crt, .cert, or .der. Any required certificates should be copied to the trusted certificates directory before you save and deploy your changes.

10. In the Username field, type the username required to access IBM Tivoli Endpoint Manager.

11. In the Password field, type the password required to access IBM Tivoli Endpoint Manager.

a. In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.

b. Click Add.

13. Click Save.

14. On the Admin tab, click Deploy Changes.

You are now ready to create a scan schedule for IBM Security Tivoli Endpoint Manager. See“Scheduling a Vulnerability Scan” on page 105.
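The CIDR-range scoping that each scanner configuration in these chapters asks for (the ranges "you want this scanner to consider"), together with the rule from the AppScan chapter that results without an IP address are excluded, as an added example that is not part of this manual and not JSA's own code. The scan results are constructed, and the two drop rules (outside every configured range, or no parsable address) are an assumption about how the configured ranges are applied to imported results.

```python
import ipaddress

# Constructed scan results as a scanner might return them; not from the page.
SAMPLE_RESULTS = [
    {"ip": "10.1.2.3",       "vuln": "outdated-agent"},
    {"ip": "10.2.0.1",       "vuln": "outdated-agent"},
    {"ip": "192.168.10.200", "vuln": "missing-patch"},
    {"ip": "2001:db8::10",   "vuln": "missing-patch"},
    {"ip": "",               "vuln": "unmapped-application"},  # no address mapped
    {"ip": "not-an-ip",      "vuln": "bad-record"},
]


def parse_ranges(cidrs):
    """Parse the configured CIDR ranges; strict=False tolerates host bits such as 10.1.2.0/16."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def classify(result, networks):
    """Return 'kept', 'no-address' or 'out-of-scope' for one scan result."""
    try:
        addr = ipaddress.ip_address(result.get("ip", ""))
    except ValueError:
        return "no-address"
    # Membership across IP versions is simply False, so mixed v4/v6 ranges are safe.
    return "kept" if any(addr in net for net in networks) else "out-of-scope"


def scope_results(results, cidrs):
    """Split results into those inside the scanner's CIDR ranges and those dropped, with a reason."""
    networks = parse_ranges(cidrs)
    kept, dropped = [], []
    for r in results:
        verdict = classify(r, networks)
        if verdict == "kept":
            kept.append(r)
        else:
            dropped.append((r, verdict))
    return kept, dropped


def demo():
    """Apply two IPv4 ranges and one IPv6 range; return kept IPs and the drop reasons."""
    kept, dropped = scope_results(
        SAMPLE_RESULTS, ["10.1.0.0/16", "192.168.10.0/24", "2001:db8::/64"]
    )
    return [r["ip"] for r in kept], [reason for _, reason in dropped]


if __name__ == "__main__":
    print(demo())
```

Keeping the drop reason separate from the kept list is the useful part operationally: a scanner whose results are mostly out-of-scope usually means the CIDR list on the scanner and the network hierarchy disagree, while a run of no-address records points back at the scanner's own host mapping (the Application Deployment Map in the AppScan case).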

Related Documentation

• Creating a Customer User Type for IBM AppScan on page 20

• IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

• Foundstone FoundScan Scanner Overview on page 37

CHAPTER 9

Managing Foundstone FoundScan Scanner

This chapter describes the following sections:

• Foundstone FoundScan Scanner Overview on page 37

• Adding a Foundstone FoundScan Scanner on page 38

• Importing Certificates for Foundstone FoundScan on page 39

Foundstone FoundScan Scanner Overview

The Foundstone FoundScan scanner queries the FoundScan Engine for host and vulnerability information from the FoundScan OpenAPI.

Juniper Secure Analytics (JSA) supports Foundstone FoundScan versions 5.0 to 6.5. The FoundScan appliance must include a scan configuration that runs regularly to keep the host and vulnerability results current. To ensure that the FoundScan scanner is able to retrieve scan information, make sure the FoundScan system meets the following requirements:

• The FoundScan application must be active. Since the API provides access to the FoundScan application, administrators can verify that the FoundScan application runs continuously on the FoundScan server.

• The scan data to import must be complete and visible in the FoundScan user interface to retrieve scan results. If the scan is scheduled to be removed after completion, the results must be imported by the scan schedule before the scan is removed from FoundScan.

• The appropriate user privileges must be configured in the FoundScan application to enable communication between JSA and FoundScan. The FoundScan OpenAPI provides host and vulnerability information. All vulnerabilities for a host are assigned to port 0.

administrators must import the appropriate certificates and keys. Instructions on how to import certificates are provided in this configuration documentation.

To add a FoundScan API vulnerability scan, see “Adding a Foundstone FoundScan Scanner” on page 38.

Related Documentation

• Creating a Customer User Type for IBM AppScan on page 20

• IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

• Adding a Foundstone FoundScan Scanner on page 38

Adding a Foundstone FoundScan Scanner

Administrators can add a Foundstone FoundScan scanner to collect host and vulnerability information through the FoundScan Open API.

Procedure

To add a Foundstone FoundScan scanner to Juniper Secure Analytics (JSA):

1. Click the Admin tab.

2. Click the VA Scanners icon.

3. Click Add.

4. In the Scanner Name field, type a name to identify your SecureScout server.

5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

Certificates for your FoundScan scanner must reside on the managed host selected in the Managed Host list.

6. From the Type list, select FoundScan Scanner.

7. In the SOAP API URL field, type the IP address or hostname of the Foundstone FoundScan that contains the vulnerabilities you want to retrieve with the SOAP API. For example, https://foundstone IP address:SOAP port. The default value is https://localhost:3800.

8. In the Customer Name field, type the name of the customer that belongs to the username.

9. In the User Name field, type the username required to access the Foundstone FoundScan server.

10. Optional. In the Client IP Address field, type the IP address of the server that you want to perform the scan. By default, this value is not used; however, it is necessary when administrators validate some scan environments.

11. Optional. In the Password field, type the password required to access the Foundstone FoundScan server.


This field can be left blank for JSA. For more information, see your FoundScan administrator.

13.In the Configuration Name field, type the scan configuration name that exists in FoundScan and to which the user has access.

Make sure this scan configuration is active or runs frequently.

14.In the CA Truststore field, type the directory path and filename for the CA truststore file.

The default path is /opt/qradar/conf/foundscan.keystore.

15. In the CA Keystore field, type the directory path and filename for the client keystore. The default path is /opt/qradar/conf/foundscan.truststore.

16.To configure a CIDR range for the scanner:

a. In the text field, type the CIDR range you want this scanner to consider, or click Browse to select a CIDR range from the network list.

b. Click Add.

17. Click Save.

18. On the Admin tab, click Deploy Changes.

Administrators can now import certificates from the FoundScan server to enable communication. See “Importing Certificates for Foundstone FoundScan” on page 39.

Related Documentation

• Creating a Customer User Type for IBM AppScan on page 20

• IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

• Importing Certificates for Foundstone FoundScan on page 39

Importing Certificates for Foundstone FoundScan

Administrators who use custom certificates or a version of Foundstone FoundScan earlier than V5.0 must import the appropriate certificates to the managed host selected in the scanner configuration.

The scanner must be added to a managed host in the scan configuration before certificates are imported from the FoundScan server. The certificates must be imported to the correct managed host to collect vulnerability and host scan data.

Procedure

To import the certificates:

1. Obtain the two certificate files and the pass phrase from your FoundScan administrator.

• The TrustedCA.pem file is the CA certificate for the FoundScan engine.

• The Portal.pem file is the private key that includes the certificate chain for the client.

2. Using SSH, copy the two pem files to the managed host assigned in your FoundScan configuration. If you have a distributed deployment, you must copy the files to the console first and then use SSH to copy them from the console appliance to the managed host.

3. Navigate to the directory location of the pem files.

4. To remove the previous keystore certificate from the managed host, type the following command:

rm -f /opt/qradar/conf/foundscan.keystore

5. To remove the previous truststore certificate from the managed host, type the following command:

rm -f /opt/qradar/conf/foundscan.truststore

6. To import the pem files to your managed host, type the following command:

/opt/qradar/bin/foundstone-cert-import.sh [TrustedCA.pem] [Portal.pem]

7. Repeat the certificate import for any more managed hosts in your deployment that connect to the Foundstone FoundScan appliance.
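A preflight check for the import steps above, as an added example that is not part of JSA or of this guide: before the old keystore and truststore are removed and foundstone-cert-import.sh is run, it verifies that the two PEM files have the structure the guide describes (TrustedCA.pem holding certificates only, Portal.pem holding one private key plus the client certificate chain, every block complete and base64-encoded), so a swapped, truncated or CRLF-damaged file is caught before anything on the managed host is replaced. The function names are the example's own, the keystore, truststore and import script paths are the ones shown in the procedure, and the PEM bodies written by make_sample_pems are constructed placeholders (a tiny DER sequence), not real certificates.

```shell
#!/bin/sh
# Added example (not JSA code): preflight for the FoundScan certificate import.
# Checks the two PEM files before the keystore/truststore are replaced, so a
# swapped, truncated or CRLF-damaged file is caught before the import script runs.

QRADAR_CONF=/opt/qradar/conf                     # paths from the procedure
IMPORT_SCRIPT=/opt/qradar/bin/foundstone-cert-import.sh

# pem_count FILE LABEL -> number of "-----BEGIN LABEL-----" blocks in FILE
pem_count() {
    grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# pem_wellformed FILE -> 0 when every BEGIN has an END and all body lines are base64
pem_wellformed() {
    f=$1
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    [ "$begins" -gt 0 ] || { echo "$f: no PEM blocks"; return 1; }
    [ "$begins" -eq "$ends" ] || { echo "$f: unbalanced BEGIN/END markers (truncated?)"; return 1; }
    # Any line that is neither a marker nor base64 (e.g. a CR left by a Windows copy) fails.
    if grep -v -e '^-----' -e '^[A-Za-z0-9+/]*=\{0,2\}$' "$f" >/dev/null; then
        echo "$f: non-base64 content between markers"; return 1
    fi
    return 0
}

# check_foundscan_pems TRUSTED_CA PORTAL -> 0 when both files match what the import expects
check_foundscan_pems() {
    ca=$1; portal=$2; rc=0
    pem_wellformed "$ca" || return 1
    pem_wellformed "$portal" || return 1
    # TrustedCA.pem: the CA certificate(s) only; a private key here means the files are swapped
    [ "$(pem_count "$ca" CERTIFICATE)" -ge 1 ] || { echo "$ca: no CERTIFICATE block"; rc=1; }
    if grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$ca"; then
        echo "$ca: contains a private key, but the CA file must hold certificates only"; rc=1
    fi
    # Portal.pem: exactly one client private key plus its certificate chain
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$portal" || true)
    [ "$keys" -eq 1 ] || { echo "$portal: expected 1 private key, found $keys"; rc=1; }
    [ "$(pem_count "$portal" CERTIFICATE)" -ge 1 ] || { echo "$portal: no client certificate chain"; rc=1; }
    return $rc
}

# import_foundscan_certs TRUSTED_CA PORTAL -> steps 4 to 6 of the procedure, guarded by the check
import_foundscan_certs() {
    check_foundscan_pems "$1" "$2" || { echo "preflight failed; keystore and truststore left untouched"; return 1; }
    rm -f "$QRADAR_CONF/foundscan.keystore"
    rm -f "$QRADAR_CONF/foundscan.truststore"
    "$IMPORT_SCRIPT" "$1" "$2"
}

# make_sample_pems DIR -> writes constructed placeholder files (valid PEM framing around a
# tiny DER SEQUENCE, not real certificates) so the check can be exercised offline
make_sample_pems() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAMCAQU=' '-----END CERTIFICATE-----' \
        > "$1/TrustedCA.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MAMCAQU=' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'MAMCAQU=' '-----END CERTIFICATE-----' > "$1/Portal.pem"
}

# Usage: sh foundscan-preflight.sh TrustedCA.pem Portal.pem
if [ $# -eq 2 ]; then
    check_foundscan_pems "$1" "$2" && echo "preflight OK: safe to run $IMPORT_SCRIPT"
fi
```

The check is purely structural; once it passes, confirm the content of the real files with `openssl x509 -noout -subject -enddate -in TrustedCA.pem` so that an expired or wrong-issuer CA certificate is noticed before the truststore is rebuilt on every managed host that connects to the FoundScan appliance.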

You are now ready to create a scan schedule. See “Scheduling a Vulnerability Scan” on page 105.

Related Documentation


CHAPTER 10

Microsoft SCCM Scanner

This chapter describes the following sections:

• Microsoft SCCM Scanner Overview on page 41

• WMI Enablement on Scanner Host on page 41

• Adding a Microsoft SCCM Scanner on page 42

Microsoft SCCM Scanner Overview

Juniper Secure Analytics (JSA) can import scan reports from Microsoft System Center Configuration Manager (SCCM) scanners.

To integrate a Microsoft SCCM scanner, perform the following steps:

1. On your Microsoft SCCM scanner, configure WMI. See “WMI Enablement on Scanner Host” on page 41.

2. If automatic updates are not enabled on your JSA console, download and install the Microsoft SCCM RPM.

3. On your JSA console, add a Microsoft SCCM scanner. See “Adding a Microsoft SCCM Scanner” on page 42.

4. On your JSA console, create a scan schedule to import scan result data. See “Scheduling a Vulnerability Scan” on page 105.

Related Documentation

• WMI Enablement on Scanner Host on page 41

• Adding a Microsoft SCCM Scanner on page 42

• Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

WMI Enablement on Scanner Host

Before you can configure a Microsoft SCCM scanner, you must configure your system DCOM settings for each host you want to monitor.
